2. Agenda
- Introduction to SOC and SIEM
- SOC - What, Why and How
- SIEM - Tools and terminology
- Threat Hunting
- Cyber Kill Chain
- APT - Advanced Persistent Threats
- IoC - Indicators of Compromise
- IoA - Indicators of Attack
- TTP - Tactics, Techniques and Procedures
3. SOC
- A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization's security posture on an ongoing basis. The SOC team's goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
(Diagram: the SOC cycle - protect, report, identify, investigate)
9. IoC - Indicators of Compromise
Atomic artefacts that show an intrusion has already taken place; they are matched against logs and endpoints after the fact:
- virus signatures
- IP addresses
- URLs or domains
- hash values (MD5/SHA-1/SHA-256 of known-bad files)
- registry keys
- filenames
- HTTP user agents
Open-source threat intel sources and exchange formats:
- AlienVault OTX, OpenIOC, STIX, CybOX
10. IoA - Indicators of Attack
- The series of actions an adversary must carry out in order to succeed.
- Everything the attacker does to prepare and stage the attack, before any compromise artefact exists.
- The "signs" the attacker leaves in the earlier stages of the attack, which can be detected before the objective is reached.
11. IoC vs. IoA
- IoCs are reactive indicators; IoAs are proactive indicators.
- IoCs can only be used after a point in time (the artefact has to be known and shared first), while IoAs are used in real time as the behaviour unfolds.
- IoCs are known, universal bad news; an IoA only becomes bad based on what it means to you and the situation, since the same action can be routine for one user and hostile in another context.
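As an added worked example (editor's illustration, not part of the original deck), the block below runs one constructed batch of SIEM events through both approaches from slides 9 to 11: a point-in-time IoC lookup against a constructed indicator feed (hash, IP, domain, user agent, with the normalisation a real matcher needs), and a three-step behavioural IoA rule (an Office application spawns an interpreter, then PowerShell runs with an encoded command, then PowerShell makes an outbound connection) that must fire in order on a single host inside a time window. Every host name, hash, address, domain and command line is made up; the rule and the sequence matcher are an assumed, simplified form of what a SIEM correlation rule does, not any vendor's logic.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed IoC feed: dummy/documentation values standing in for real threat intel.
IOCS = {
    "sha256": {"d2a7f1e0" * 8},              # hash of a "known-bad" file (made up)
    "ip": {"203.0.113.45"},                   # TEST-NET-3 address standing in for a C2 server
    "domain": {"update-check.example.net"},   # "known-bad" domain (made up)
    "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
}

# Constructed telemetry, one dict per SIEM event (hosts, paths and commands are made up).
# ws01: macro-based intrusion; ws02: touches known-bad artefacts; ws03: admin using -enc legitimately.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "type": "process", "image": "WINWORD.EXE",
     "parent": "explorer.exe", "cmd": "WINWORD.EXE invoice.docm"},
    {"ts": "2024-01-10T09:00:07", "host": "ws01", "type": "process", "image": "cmd.exe",
     "parent": "WINWORD.EXE", "cmd": "cmd.exe /c start powershell"},
    {"ts": "2024-01-10T09:00:08", "host": "ws01", "type": "process", "image": "powershell.exe",
     "parent": "cmd.exe", "cmd": "powershell -nop -w hidden -enc SQBFAFgAIAA="},
    {"ts": "2024-01-10T09:00:15", "host": "ws01", "type": "dns", "query": "cdn-assets.example.org"},
    {"ts": "2024-01-10T09:00:16", "host": "ws01", "type": "network", "image": "powershell.exe",
     "dst": "198.51.100.7", "dport": 443},
    {"ts": "2024-01-10T09:05:00", "host": "ws02", "type": "file", "path": "C:\\Users\\bob\\a.exe",
     "sha256": "D2A7F1E0" * 8},
    {"ts": "2024-01-10T09:05:02", "host": "ws02", "type": "http",
     "url": "http://Update-Check.Example.NET/ping",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"ts": "2024-01-10T10:00:00", "host": "ws03", "type": "process", "image": "cmd.exe",
     "parent": "explorer.exe", "cmd": "cmd.exe"},
    {"ts": "2024-01-10T10:00:05", "host": "ws03", "type": "process", "image": "powershell.exe",
     "parent": "cmd.exe", "cmd": "powershell -enc SQBFAFgAIAA="},
    {"ts": "2024-01-10T10:00:09", "host": "ws03", "type": "network", "image": "powershell.exe",
     "dst": "10.0.0.5", "dport": 5985},
]

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def match_iocs(events, iocs=IOCS):
    """IoC matching is a point-in-time lookup: normalise each artefact (case, URL -> host)
    and test set membership. No ordering or context is involved."""
    hits = []
    for ev in events:
        candidates = []
        if "sha256" in ev:
            candidates.append(("sha256", ev["sha256"].lower()))
        if "dst" in ev:
            candidates.append(("ip", ev["dst"]))
        if "query" in ev:
            candidates.append(("domain", ev["query"].lower().rstrip(".")))
        if "url" in ev:
            candidates.append(("domain", urlsplit(ev["url"]).hostname or ""))
        if "user_agent" in ev:
            candidates.append(("user_agent", ev["user_agent"]))
        hits += [(ev["ts"], ev["host"], kind, v) for kind, v in candidates if v in iocs[kind]]
    return hits

# IoA rule "macro to C2": each step is harmless on its own; the ordered chain is the indicator.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def office_spawns_interpreter(ev):
    return (ev["type"] == "process" and ev["parent"].lower() in OFFICE
            and ev["image"].lower() in INTERPRETERS)

def encoded_powershell(ev):
    cmd = ev.get("cmd", "").lower()
    return (ev["type"] == "process" and ev["image"].lower() == "powershell.exe"
            and (" -enc" in cmd or " -encodedcommand" in cmd))

def powershell_egress(ev):
    return ev["type"] == "network" and ev.get("image", "").lower() == "powershell.exe"

IOA_MACRO_TO_C2 = [office_spawns_interpreter, encoded_powershell, powershell_egress]

def match_sequence(events, steps, window=timedelta(minutes=5)):
    """Behavioural matching: steps must occur in order, on the same host, within `window`.
    Returns one event chain per completed sequence."""
    evs = sorted(events, key=_ts)
    chains = []
    for i, first in enumerate(evs):
        if not steps[0](first):
            continue
        chain, deadline = [first], _ts(first) + window
        for nxt in evs[i + 1:]:
            if _ts(nxt) > deadline:
                break            # events are time-sorted, so nothing later can extend this chain
            if nxt["host"] == first["host"] and steps[len(chain)](nxt):
                chain.append(nxt)
                if len(chain) == len(steps):
                    chains.append(chain)
                    break
    return chains

if __name__ == "__main__":
    for hit in match_iocs(EVENTS):
        print("IoC hit:", hit)
    for chain in match_sequence(EVENTS, IOA_MACRO_TO_C2):
        print("IoA hit on", chain[0]["host"], "at", [e["ts"][11:] for e in chain])
```

Running it shows the contrast the slide draws: the IoC lookup fires three times, all on ws02, because that host touched artefacts already in the feed. It says nothing about ws01, none of whose artefacts are known yet. The IoA rule fires once, on ws01, from behaviour alone. It does not fire on ws03, where an administrator ran the same encoded PowerShell and made a connection, because the Office-parent step is missing; the same actions mean something different in that context.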